Study: 7 of 13 Top Rated Antivirus Fail Against HTTPS Exploits

NSS Labs tested the ability of 13 popular security suites to block a couple of recent exploits, delivered over both plain HTTP and encrypted HTTPS. Surprisingly, several big names failed partially or totally when the attack came over HTTPS.

You don't hear about Texas-based NSS Labs as much as you do about such companies as AV-Test.org and AV-Comparatives.org. That isn't because the researchers aren't busy; it's because the vast majority of their research is commissioned by large companies for internal use.

From time to time they release findings to the public, notably their studies on how well browsers block Web malware. NSS researchers have a major test of consumer endpoint security in the works. In preparation for that, they've just released a mini-test that evaluates how well popular security suites handle Web-based exploits. The results will surprise you.

Exploits are attacks that attempt to gain control of victim systems through unpatched vulnerabilities in the operating system, the browser, or popular third-party applications. For this mini-test, the researchers started with two Microsoft vulnerabilities that were patched in June and July of 2012. Users who didn't apply those patches would be vulnerable.

Test Methodology

Rather than use any known malicious code or pre-packaged penetration tests, the researchers built their own exploits, two for each vulnerability. One exploit launched a program on the victim system (in this case the innocuous calc.exe). The other opened a remote access backdoor shell on the victim.

For testing, they installed the 13 popular security suites on test systems lacking the critical patches for the two vulnerabilities. They launched each attack against each test system, first over a standard HTTP connection and then over an HTTPS connection. The results, shown in the table below, are surprising.
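The HTTP-versus-HTTPS comparison in the methodology above can be reproduced at small scale without any real exploit. The script below is an added example, not NSS Labs' harness or code from the report: it serves the EICAR anti-malware test string (the standard harmless file that every mainstream scanner is expected to flag) over plain HTTP and over HTTPS on localhost, fetches both with an ordinary HTTP client, and reports the same kind of verdict as a row of the NSS table. Everything beyond the page is an assumption of this example: the self-signed certificate generated with the openssl command-line tool, the ephemeral localhost ports, the EICAR stand-in for the custom exploits NSS used, and the verdict wording.

```python
# Serve one benign test payload over HTTP and over HTTPS on localhost and fetch both,
# to see whether whatever inspects this machine's Web traffic treats the two alike.
# Added example, not NSS Labs' test harness.
import http.client
import http.server
import os
import shutil
import ssl
import subprocess
import tempfile
import threading
import urllib.request

# The EICAR test string: the standard harmless stand-in for malicious content.
# Kept in two halves so this source file does not itself trigger a scanner.
_EICAR_PARTS = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!", r"$H+H*")


def eicar_test_string() -> str:
    return "".join(_EICAR_PARTS)


class _PayloadHandler(http.server.BaseHTTPRequestHandler):
    # Answers every GET with the test string as a file download.
    def do_GET(self):
        body = eicar_test_string().encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Disposition", 'attachment; filename="eicar.com"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


def _start_server(tls_ctx=None):
    """Bind an ephemeral port on 127.0.0.1; wrap the listener in TLS if a context is given."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _PayloadHandler)
    if tls_ctx is not None:
        srv.socket = tls_ctx.wrap_socket(srv.socket, server_side=True)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def _self_signed_cert(workdir: str):
    """Throwaway self-signed certificate for 'localhost' via the openssl CLI (assumed installed)."""
    cert, key = os.path.join(workdir, "cert.pem"), os.path.join(workdir, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-keyout", key, "-out", cert],
                   check=True, capture_output=True)
    return cert, key


def fetch(url: str, ctx=None):
    """Return the response body, or None if the request was blocked, reset or timed out."""
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=5) as resp:
            return resp.read().decode("ascii", "replace")
    except (OSError, http.client.HTTPException):
        return None


def verdict(http_body, https_body) -> str:
    """Classify one pair of results the way a row of the NSS table does."""
    payload = eicar_test_string()
    got_http = http_body is not None and payload in http_body
    got_https = https_body is not None and payload in https_body
    if not got_http and not got_https:
        return "blocked over both HTTP and HTTPS"
    if not got_http:
        return "blocked over HTTP only: HTTPS traffic is not being inspected"
    if not got_https:
        return "blocked over HTTPS only"
    return "not blocked over either transport"


def run_check() -> dict:
    """Serve the payload both ways, fetch each, and return the bodies plus a verdict."""
    with tempfile.TemporaryDirectory() as workdir:
        cert, key = _self_signed_cert(workdir)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert, key)
        http_srv, http_port = _start_server()
        https_srv, https_port = _start_server(server_ctx)
        # The client must accept the self-signed certificate.  A product that inspects
        # HTTPS has to interpose its own certificate here; one that does not sees only
        # ciphertext between client and server.
        client_ctx = ssl.create_default_context()
        client_ctx.check_hostname = False
        client_ctx.verify_mode = ssl.CERT_NONE
        try:
            http_body = fetch(f"http://127.0.0.1:{http_port}/eicar.com")
            https_body = fetch(f"https://127.0.0.1:{https_port}/eicar.com", client_ctx)
        finally:
            for srv in (http_srv, https_srv):
                srv.shutdown()
                srv.server_close()
    return {"http": http_body, "https": https_body, "verdict": verdict(http_body, https_body)}


if __name__ == "__main__":
    print(run_check()["verdict"])
```

On a machine with nothing inspecting the path, both downloads succeed. On a machine whose suite scans HTTP but cannot see inside TLS, the HTTPS fetch is the only one that returns the payload, which is the failure mode the NSS results describe. A product that does inspect HTTPS can only do so by terminating TLS itself (with its own locally trusted certificate) or by scanning the content after the browser has decrypted it, so the point at which the block happens is worth noting too.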

Avast, Kaspersky, McAfee, and Trend Micro stood firm against exploits, blocking all four attacks over HTTP and over HTTPS. ESET and Norton did fine with the HTTP-based attacks, but missed half over HTTPS. AVG and Avira also blocked all HTTP-based attacks but didn't block any attacks that came in over HTTPS.

CA Total Defense, F-Secure, and Microsoft also had trouble with HTTPS. They blocked half of the attacks over HTTP, but none over HTTPS. At the bottom, Norman and Panda blocked just one attack. On the plus side, they managed to block it whether it came in via HTTP or HTTPS.

Conclusions

The report points out that HTTPS connections are common, and that users can't assume HTTPS traffic is free of exploits. A product that inspects Web traffic on the wire sees only ciphertext inside a TLS session; unless it intercepts the connection locally or catches the exploit after the browser has decrypted it, an attack page served over HTTPS reaches the vulnerable component unexamined. NSS Labs recommends that anyone using one of the security products that ran into trouble with HTTPS in this test should double-check that all current patches are in place, since an exploit for a vulnerability that has been patched does no harm however it is delivered. To make that task easier, the report suggests using a patch management tool like Secunia Personal Software Inspector 3.0.

Vendors whose products bombed under HTTPS may be able to slip in a fix before the full-scale consumer endpoint protection report in late 2012. You can view the full text of the mini-report on the NSS Labs website.

About the Author

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted b...
